Hi,

I am developing a parser for postfix which interacts with logstash and elasticsearch. The architecture uses Sophos puremessage for antispam/antivirus. I am facing an "issue" with logs. I want to process the logs on the fly. When a message comes into the system, postfix processes it, sends it to the sophos and then sophos sends it back to postfix.

Postfix ID1 -> Sophos -> Postfix ID2

I think postfix for performance reasons writes logs after processing messages. I can see this kind of situation in my logs:

Jan 9 08:03:24 smtp1 postfix/smtpd[21740]: 3pcshX6GNMz11r4C: client=xxxx
Jan 9 08:03:25 smtp1 postfix/cleanup[24891]: 3pcshX6GNMz11r4C: message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>
Jan 9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: from=< yyyyy...@yyyyyyy.no>, size=17921, nrcpt=1 (queue active)
Jan 9 08:03:25 smtp1 postfix/smtpd[17088]: 3pcshY5H0dz11r4G: client=localhost.localdomain[127.0.0.1]
Jan 9 08:03:25 smtp1 postfix/cleanup[24894]: 3pcshY5H0dz11r4G: message-id=<1128173832.11432.1452323000636.JavaMail.Administrator@localhost>
Jan 9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: from=< yyyyyy...@yyyyyyy.no>, size=19065, nrcpt=1 (queue active)
Jan 9 08:03:25 smtp1 postfix/smtp[24892]: 3pcshX6GNMz11r4C: to=< xxxx...@xxxxx.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=1.1, delays=0.45/0/0/0.66, dsn=2.0.0, status=sent (250 OK, sent 5690B0BD_13054_6511_1 3pcshY5H0dz11r4G)
Jan 9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshX6GNMz11r4C: removed
Jan 9 08:03:25 smtp1 postfix/smtp[24895]: 3pcshY5H0dz11r4G: to=< xxxx...@xxxxx.com>, relay=mailhost1.b2gmom.internal.tld[10.219.4. 69]:25, delay=0.07, delays=0.05/0.01/0/0.01, dsn=2.5.0, status=sent (250 2.5.0 Ok, envelope id 0o0o008gublp3...@xxxxxxx.internal.tld)
Jan 9 08:03:25 smtp1 postfix/qmgr[30181]: 3pcshY5H0dz11r4G: removed

My goal is to regroup this information in only one record in elasticsearch, so I use "(250 OK, sent 5690B0BD_13054_6511_1 3pcshY5H0dz11r4G)" to follow the message until the end of the process. Unfortunately the second Postfix ID is logged before this information.

Can you help me with this issue?

Thanks for your replies :)

Regards.
nebojsa
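
One way to handle the ordering described in the question, as an added example that is not part of the original post: buffer events per queue ID and merge only once the hand-off line has linked the two IDs and both have logged "removed". The names Correlator, feed and correlate are hypothetical, and the sample lines are constructed from the excerpt with placeholder addresses.

```python
import re

# Assumption: queue IDs are 10+ alphanumerics, as in the excerpt above.
LINE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-Za-z]{10,}): (?P<rest>.*)")
# Hand-off line quoted in the post: "(250 OK, sent <filter id> <second queue ID>)"
HANDOFF = re.compile(r"status=sent \(250 OK, sent \S+ (?P<next>[0-9A-Za-z]{10,})\)")

class Correlator:
    def __init__(self):
        self.events = {}      # queue ID -> buffered log fragments
        self.removed = set()  # queue IDs whose "removed" line has been seen
        self.child = {}       # first queue ID -> second queue ID
        self.parent = {}      # second queue ID -> first queue ID

    def feed(self, line):
        """Buffer one line; return the merged record once both halves are done."""
        m = LINE.search(line)
        if not m:
            return None
        qid, rest = m["qid"], m["rest"].strip()
        self.events.setdefault(qid, []).append(rest)
        h = HANDOFF.search(rest)
        if h:  # the link may arrive after the second ID's own lines
            self.child[qid] = h["next"]
            self.parent[h["next"]] = qid
        if rest == "removed":
            self.removed.add(qid)
        first = self.parent.get(qid, qid)
        second = self.child.get(first)
        if second is None or not {first, second} <= self.removed:
            return None  # chain unknown or still in flight: keep buffering
        self.removed -= {first, second}
        del self.child[first], self.parent[second]
        return {"first_id": first, "second_id": second,
                "events": self.events.pop(first) + self.events.pop(second)}

# Constructed sample in the same order as the excerpt (addresses are placeholders).
A, B = "3pcshX6GNMz11r4C", "3pcshY5H0dz11r4G"
SAMPLE = [f"Jan  9 08:03:25 smtp1 postfix/{s}" for s in (
    f"qmgr[30181]: {A}: from=<sender@example.org>, size=17921, nrcpt=1 (queue active)",
    f"qmgr[30181]: {B}: from=<sender@example.org>, size=19065, nrcpt=1 (queue active)",
    f"smtp[24892]: {A}: to=<rcpt@example.com>, relay=127.0.0.1[127.0.0.1]:10025, "
    f"status=sent (250 OK, sent 5690B0BD_13054_6511_1 {B})",
    f"qmgr[30181]: {A}: removed",
    f"smtp[24895]: {B}: to=<rcpt@example.com>, status=sent (250 2.5.0 Ok)",
    f"qmgr[30181]: {B}: removed")]

def correlate(lines):
    c = Correlator()
    return [rec for rec in map(c.feed, lines) if rec]
```

Messages that never pass through the filter stay buffered in this sketch, so a real pipeline would also need a timeout that flushes unlinked queue IDs.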